Malware day

This Malware Day is a cross-team workshop organized by INRIA/IRISA and CentraleSupelec Rennes.
It will be held on 23 may 2019 in the amphitheater of CentraleSupelec Rennes.
This workshop is open to any researcher in the field of Malware Analysis. All INRIA/IRISA members and CentraleSupelec students are also welcome.
Registration is free but mandatory before 21 may : https://evento.renater.fr/survey/malware-day-k0k3om24

Program

Detailed program

10:00 – 10:30  Lamine Noureddine (TAMIS)

Clustering of packed binaries

Abtract: A limit of supervised learning is to not be able to recognize classes that were not present in the ground truth. This means that packer families for which a classifier has not been trained will not be recognized. In this work,we use unsupervised learning techniques, more particularly clustering, in order to provide information about packed binaries, and then we discuss the possible practical uses cases.
Bio: Lamine is a 2nd year PhD student in TAMIS

10:30 – 11:00  Cedric Herzog (CIDRE)

Contrer les “malware” évasifs via instrumentation de l’API Windows

Abtract: Beaucoup de “malware” cherchent à fonctionner le plus longtemps possible sans être vus.
Pour cela, ils mettent en place des techniques permettant de stopper leur fonctionnement à la moindre suspicion d’analyse/manipulation externe.
Nous cherchons ici à activer ce comportement via instrumentation de l’API Windows.
Bio: Cedric is a 1st year PhD student in CIDRE

11:00 – 11:30  Cassius Puodzius (TAMIS)

Malware classification based on behavioral description model

Abtract: Malware classification is an important task to gain visibility about computer threats and to improve defense mechanisms, especially for security companies that collect hundreds of thousand new samples every day. Tools like Yara look for syntactic properties of binaries in order to match a given signature, however techniques such as packing and virtualization are able to bypass those signatures by changing the binary’s syntax  without essentially changing its behavior. In this research, we apply machine learning methods to derive signatures and consecutively classify samples that are based on behavioral model, which is more robust that its counterpart syntactical model.
Bio: Currently first year PhD student in TAMIS, after working for four years in the cybersecurity field, especially in malware-related research.

11:30 – 12:00  Bruno Lebon (TAMIS)

MASSE: Modular Automated Syntactic Signature Extraction

Abtract: We present the MASSE architecture, a YARA-based open source client-server malware detection platform. MASSE includes highly effective automated syntactic malware detection rule generation for the clients based on a server-side modular malware detection system. Multiple techniques are used to make MASSE effective at detecting malware while keeping it from disrupting users and hindering reverse-engineering of its malware analysis by malware creators.
Bio: Bruno is a research engineer in TAMIS

14:00 – 14:45  INVITED SPEAKER : Ziya Alper Genç (University of Luxembourg)

Another Look at Anti-Ransomware Systems

Abtract: Cryptographic ransomware is a type of malware that encrypts files and makes them unavailable unless the victim pays up. To contain the damage of this cyber-threat, several anti-ransomware systems are proposed by the security community.
In this talk, we will review state-of-the-art anti-ransomware systems and discuss the limitations of the employed methods therein. Next, using these weaknesses, we will design a ransomware which can bypass current defences, even used in combination. To support the theoretical discussion, we will test a prototype implementation of our novel ransomware against select anti-ransomware solutions available as a software package. Finally, we will conclude the talk by discussing
possible techniques to stop this new ransomware variant.
Bio: coming soon…

14:45 – 15:15  Routa Moussaieb (IRIS)

From Ransomware to Malware… Are Network Alerts Enough?

Abtract: To join the arm race against ransomware, we propose in our work a detection model based on the collected system and network logs from a computer. Packet level detection is performed to grant the best use case scenario. Our goal is to provide an independent third-party procedure that is able to distinguish between a benign software and a malicious ransomware based on network activity.
The main steps of our work are summarized as follows:
1. Providing a mechanism for data filtering based on open source tools.
2. Creating ransomware models via machine learning on network flows.
3. Evaluating ransom notes and encrypted files to check whether the detection occurred at a time t inferior at the start of the encryption.
——————————————————————————————————————————————————————-
Nous proposons dans notre travail un modèle de détection de ransomware basé sur les informations collectées au niveau système et réseau. La détection niveau paquet est effectuée. Notre objectif est de fournir une procédure capable de faire la distinction entre un logiciel bénin et un ransomware basée sur l’activité du réseau.
Les principales étapes de notre travail sont résumées ci-dessous :
1. Fournir un mécanisme de filtrage des données.
2. Création de modèles de ransomware par apprentissage automatique sur les flux réseaux.
3. Evaluation des notes de rançons et des fichiers chiffrés pour voir si la détection a lieu avant ou après le chiffrement.
Bio: I am a PhD student in Cyber Security working at IMT Atlantique (IRIS team) and INRIA (LHS).
I am currently in my second year. My thesis focuses on analyzing malware in order to detect and thwart its malicious actions on the victim.
I am particularly interested in ransomware since they present a high threat on individuals and companies.

15:15 – 15:45  Louis Bida (LHS)

DaD an efficient way to detect ransomware

Abtract: Most ransomware encrypt the user data. From this observation, we can focus the detection approach on the file system write operation that contain encrypted data. This is the general idea behind the Data aware Defense (DaD) detection tool. This talk presents DaD basics, results and evolution.
Bio: Louis is a R&D engineer, he is specialized in embedded software and security. His education give him strong knowledge in computer science and some basic in electronic. Louis worked for companies that developing embedded product for automotive and security solution. At LHS Louis works on ransomware detection and countermeasure, mostly on DaD prototype and MoM platform.

15:45 – 16:15  Matthieu Mastio (TAMIS)

Side channel analysis for malware detection

Abtract: The analysis of information which is unintentionally emitted by the underlying hardware device ( like power consumption or electromagnetic emanation) is generally used to attack sensitive information (e.g., cryptographic keys) processed in hardware.We will present here the novel approach of using side-channel information, which cannot be easily controlled or hidden by the attacker, to detect if a device is infected by a malware.

Bio: Matthieu is a postdoc in TAMIS, currently working on malware detection. His PhD is about distributed multi-agent simulations.